This blog post is intended to help lay the groundwork for eventually setting up and configuring Mutual Authentication (Two Way TLS/Client Cert). For now, I will demonstrate how to set up and configure basic SSL in IIS Express. For this exercise, I will be using a self-signed certificate that Visual Studio automatically generates and installs for us.

In the next blog, I will show how to set up and configure a Client Cert for Mutual Authentication for your Web API. Finally, I will demonstrate how to deploy this to an Azure App Service and test using Chrome and Postman.

Prerequisites: Visual Studio 2017 Community Edition on Windows 10 Home Edition or similar development environment.

Assumption: You know C#, WebApi and do not need every exact step for creating a Web API project.

Creating a Sample Project

First, let’s start by creating an Empty WebApi project.

After clicking the “Ok” button, check MVC and WebApi.

Then click “Ok” again. Now we are ready to add a new API endpoint. Right click on the Controllers folder and add a new Controller. Since this is a WebApi, make sure your controller inherits from ApiController.

Note: Your URL may be different. Check the properties of your project for the URL your project is configured for. It will usually vary by port number.

Now we know we have a working API. Let’s configure SSL.

Configuring SSL

This is really, really difficult so make sure you read carefully (note the sarcasm). Microsoft has really overly simplified this process compared to 10 years ago. First, right click on the project and click “Properties”.

In the “Properties” section, enable SSL.

Now, run the WebApi. The first time you run the WebApi project, you will need to trust the IIS Express SSL Certificate.

Then another dialog will pop-up asking you to install the certificate.

Once this is up and running, let’s test the endpoint using HTTPS. Obviously, make sure you are using the appropriate URL when testing HTTPS.

Notice that both HTTP and HTTPS URLs will work. It is up to you to decide if you need to block access to your endpoints for HTTP. There are several ways to do that.
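One of those ways, shown here as an added example that is not part of the original post: a global Web API authorization filter that refuses any request that did not arrive over HTTPS. The class name RequireHttpsAttribute is hypothetical, and the Register method is assumed to mirror the default WebApiConfig from the project template, with only the Filters.Add line being new.

```csharp
// Added example (not from the original post): reject plain-HTTP calls to Web API endpoints.
using System;
using System.Net;
using System.Net.Http;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Hypothetical name; any AuthorizationFilterAttribute subclass is wired up the same way.
public class RequireHttpsAttribute : AuthorizationFilterAttribute
{
    public override void OnAuthorization(HttpActionContext actionContext)
    {
        if (actionContext.Request.RequestUri.Scheme != Uri.UriSchemeHttps)
        {
            // Setting Response short-circuits the pipeline, so the action never runs.
            actionContext.Response = new HttpResponseMessage(HttpStatusCode.Forbidden)
            {
                ReasonPhrase = "HTTPS Required"
            };
            return;
        }
        base.OnAuthorization(actionContext);
    }
}

// Assumed to match the App_Start/WebApiConfig.cs generated by the template.
public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        // Global registration: the filter applies to every controller and action.
        config.Filters.Add(new RequireHttpsAttribute());

        config.MapHttpAttributeRoutes();
        config.Routes.MapHttpRoute(
            name: "DefaultApi",
            routeTemplate: "api/{controller}/{id}",
            defaults: new { id = RouteParameter.Optional });
    }
}
```

To protect only some endpoints, skip the global registration and put [RequireHttps] on the individual controllers or actions. The filter returns 403 rather than redirecting, so an API client that is misconfigured for HTTP fails visibly instead of continuing to send its first request in clear text.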

Conclusion

This blog has demonstrated how simple it is now to develop and run Web API in IIS Express using SSL. Ten years ago doing this was very convoluted and error-prone. Now it is overly simplified so any developer can easily set up their dev environment to run SSL. Next, I will dive into Mutual Authentication for IIS Express.